PsExec
PsExec is a free Windows Sysinternals tool that executes programs on remote computers. Unlike older remote-execution tools such as Telnet, PsExec needs no client software on the target and gives full interactivity for console applications.
PsExec’s most powerful features are launching interactive command prompts on remote systems and running normally local tools such as ipconfig against a remote host.
Use case(s)
PsExec is a good tool to use during red team engagements. It is popular among pen-testers, sysadmins, and attackers alike because it is a Microsoft-signed Windows binary that is often allowed to run where unknown tooling is not; this makes it extremely useful for executing commands on other Windows machines. Pen-testers primarily use PsExec for lateral movement within a domain.
It is also important to recognize PsExec usage from a blue team’s point of view, as there are several examples of malware using PsExec during infection and execution. For example, Petya and Thrip use PsExec and WMIC (Windows Management Instrumentation Console) to move laterally (spread) through a network. Relevant mitigations for attacks using PsExec are to restrict remote administrative connections to the accounts that require them for their role and/or to block the binaries involved in PsExec’s execution.
Various authentication methods and network protocols can be used to authenticate to remote systems and spread across networks. PsExec authenticates over SMB using either plaintext credentials or an NTLM hash supplied by the user.
The process begins by opening an SMB session with the supplied credentials. PsExec then writes its service binary to the ADMIN$ network share and starts PSEXESVC.exe as a service through the Service Control Manager (SCM), which in turn executes the requested command on the remote system (this requires administrative privileges on the remote machine).
Usage
PsExec can run processes remotely with no manual installation of software on the remote system, which makes deployment easy. You can copy the PsExec tool onto your executable path and use it directly by typing “psexec”.
The basic syntax for the PsExec command is as follows:
psexec [\\remote_computer_IP] [options] cmd
You can specify the path of the program on the remote computer you want to run, but if a path is not provided PsExec will look in the \Windows\System32 folder. Alternatively, a program that is saved locally can be copied to and run on the remote system by specifying the -c flag when using the psexec command.
These are some of the suite’s most useful tools: AccessChk, AccessEnum, AdExplorer, AutoRuns, ProcDump, ProcExp, PsExec, SysMon, ProcMon, Handle, PortMon, PsLogList, PsTools, ShareEnum, Sigcheck, Streams, Strings, TCPView, WhoIs.
ProcDump
ProcDump is a tool included in the Windows Sysinternals suite. It allows system administrators to monitor applications for CPU spikes or unhandled exceptions and provides a way to filter these. It can also generate crash dumps while monitoring an application or take full dumps of a process’s memory.
the good side
As mentioned before, when used by system administrators, ProcDump offers great debugging and monitoring capabilities to ensure applications are running correctly and generate a full report in case they crash. ProcDump has the capability to see exceptions even if they are handled in the target application.
the dark side
In the wrong hands, ProcDump offers a stealthy way to steal credentials from target systems. It is signed by Microsoft, so antivirus solutions typically do not flag the binary itself.
background
Local Security Authority Subsystem Service (LSASS) is the Windows process that handles authentication and password changes and creates access tokens. At startup it loads the registered Security Support Providers (SSP); these are extensions the LSASS process uses to keep users’ credentials in different formats to be used later in various types of authentication.
The most infamous credential stealing malware is called Mimikatz. It allows a malicious user who has compromised a Windows host to steal the credentials of all other logged-in users. This is done by hooking into the LSASS process and reading the information held by SSPs.
Nowadays, many SIEM and Endpoint Detection and Response solutions are tuned to catch and protect against Mimikatz. Attackers, however, have found a clever way to circumvent this using ProcDump, a tool signed by Microsoft itself. ProcDump can be used to take a memory dump of the LSASS process, which can then be analysed offline on the attacker’s own box using Mimikatz. The attached image shows such an analysis being performed on an LSASS process memory dump.
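The two abuse chains described above (PsExec writing PSEXESVC.exe to ADMIN$ and installing it as a service; ProcDump opening LSASS to dump its memory) each leave event-log artefacts a defender can alert on: a System log Event ID 7045 service install, a Security log Event ID 5145 share access to ADMIN$, and a Sysmon Event ID 10 process access against lsass.exe. The following Python is an added example (not code from the page or from Sysinternals) that runs those checks over constructed sample records written in a flat key=value form; the field names mirror the real events, but the line format itself is an assumption for the demo, and the PROCESS_VM_READ mask is the standard Win32 access right.

```python
"""Flag PsExec-style remote execution and LSASS memory access in Windows event records.
Added example: the log lines below are constructed, not real captures."""
import re

# Constructed sample events in a flat "key=value" form (an assumed format, not a real export).
SAMPLE_EVENTS = [
    "EventID=7045 Computer=WS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "EventID=5145 Computer=WS01 ShareName=\\\\*\\ADMIN$ RelativeTargetName=PSEXESVC.exe AccessMask=0x2",
    "EventID=7045 Computer=WS02 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=10 Computer=WS03 SourceImage=C:\\Tools\\procdump64.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 Computer=WS03 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
]

PSEXEC_MARKERS = ("PSEXESVC",)   # default service/binary name; PsExec's -r renames it, so pair with the ADMIN$ check
PROCESS_VM_READ = 0x0010         # access right that allows reading another process's memory


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict (constructed format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def psexec_indicator(ev):
    """Return a reason string if the event matches PsExec's execution chain, else None."""
    eid = ev.get("EventID")
    if eid == "7045":  # System log: a new service was installed
        text = (ev.get("ServiceName", "") + " " + ev.get("ImagePath", "")).upper()
        if any(marker in text for marker in PSEXEC_MARKERS):
            return "service install matching PsExec service name"
    if eid == "5145":  # Security log: detailed file share access
        share = ev.get("ShareName", "").upper()
        target = ev.get("RelativeTargetName", "").lower()
        mask = int(ev.get("AccessMask", "0x0"), 16)
        if share.endswith("ADMIN$") and target.endswith(".exe") and mask & 0x2:  # 0x2 = WriteData
            return "executable written to ADMIN$"
    return None


def lsass_access_indicator(ev):
    """Return a reason if a process opened lsass.exe with memory-read rights (Sysmon Event ID 10)."""
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & PROCESS_VM_READ:
        return f"{ev.get('SourceImage')} opened lsass.exe with VM_READ (0x{granted:X})"
    return None


def triage(lines):
    """Return [(computer, reason)] for every record that trips one of the checks."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = psexec_indicator(ev) or lsass_access_indicator(ev)
        if reason:
            hits.append((ev.get("Computer", "?"), reason))
    return hits


if __name__ == "__main__":
    for computer, reason in triage(SAMPLE_EVENTS):
        print(f"{computer}: {reason}")
```

The svchost.exe record is deliberately left unflagged: it opens LSASS with 0x1000 (query limited information), which many legitimate processes do, so alerting on every handle to lsass.exe would drown the real signal; the VM_READ bit is what a memory dump needs.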
ProcExp
process explorer
Like Task Manager, Process Explorer can be used to review the resources being used by active processes. However, Process Explorer can provide much more detailed information that may be useful for more advanced users and system administrators. With Process Explorer, users are able to list all current processes and their associated relationships, identify the files or directories in use, and kill entire process trees.
While Process Monitor is used to build a log of the activity associated with each process, Process Explorer provides users with an interactive overview of the system in real time. Process Explorer enables users to pause real-time updates and take a snapshot to examine the values at a specific time, which is useful for static analysis. There are some situations, however, where it would be more appropriate to use Process Monitor to analyse system processes.
There are many instances where a user may want to use Process Explorer; for example, a user may wish to check which Dynamic-Link Libraries (DLLs) are used by a process, or identify which process has locked a file and prevented it from being moved/deleted. Furthermore, the ability to identify and kill an entire process tree avoids creating orphan processes.
suspicious processes
Process Explorer boasts several features that can assist with identifying malware and suspicious processes. Firstly, users can review the Company Name associated with each process; any that have no entry, or that show a misspelled variant of an expected name such as ‘Microsoft Corporation’, warrant further investigation.
In addition to reviewing the Company Name, users can also check if the process has a Verified Signer to ensure that it originates from a trusted source. Although it may be the case that legitimate software has not been signed, this can also be another indicator that more investigation is needed.
VirusTotal
When it comes to identifying malware, the ability to check VirusTotal is perhaps one of the most useful features of Process Explorer. Users are able to check a running process against the information stored on virustotal.com and submit unknown executables. This will return a value such as ‘45/72’, which indicates how many antivirus providers have identified the process as a security risk.
As a general rule, the higher the number, the more likely it is that the process is malicious. A low score of 2/72 is likely to indicate a false positive. However, it is also possible that it is relatively new malware that has not yet been identified by many antivirus providers.
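The three Process Explorer columns discussed above (Company Name, Verified Signer, VirusTotal) can be turned into a simple triage pass. The Python below is an added example, not part of the page or of Process Explorer; the process rows are constructed, and the vendor list, the edit-distance threshold of two characters for spotting a misspelled vendor, and the one-quarter VirusTotal cut-off for “widely detected” are assumptions chosen for the demo.

```python
"""Triage a process listing the way one would eyeball Process Explorer's columns.
Added example; the rows below are constructed, not taken from a real system."""

KNOWN_VENDORS = ("Microsoft Corporation", "Microsoft Windows", "Google LLC")   # assumed allow-list

# Constructed rows: (process name, Company Name column, Verified Signer column, VirusTotal column)
SAMPLE_PROCESSES = [
    ("svchost.exe", "Microsoft Corporation", "(Verified) Microsoft Windows", "0/72"),
    ("svch0st.exe", "Microsoft Corporaton", "(Not verified) Microsoft Corporation", "45/72"),
    ("updater.exe", "", "(Not verified)", "2/72"),
    ("chrome.exe", "Google LLC", "(Verified) Google LLC", "0/72"),
]


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_vendor(company):
    """Return the legitimate vendor a slightly misspelled Company Name imitates, or None."""
    for vendor in KNOWN_VENDORS:
        d = edit_distance(company.lower(), vendor.lower())
        if 0 < d <= 2:          # exact matches (d == 0) are fine; near misses are suspicious
            return vendor
    return None


def vt_ratio(cell):
    """Split a '45/72'-style VirusTotal cell into (detections, engines)."""
    hits, total = cell.split("/")
    return int(hits), int(total)


def assess(name, company, signer, vt):
    """Return the reasons this process deserves a second look (empty list = nothing odd)."""
    reasons = []
    if not company:
        reasons.append("no Company Name")
    else:
        imitated = lookalike_vendor(company)
        if imitated:
            reasons.append(f"Company Name {company!r} looks like a misspelling of {imitated!r}")
    if not signer.startswith("(Verified)"):
        reasons.append("signature not verified")
    hits, total = vt_ratio(vt)
    if hits >= total // 4:      # assumed threshold: a quarter of engines or more
        reasons.append(f"VirusTotal {vt}: widely detected")
    elif hits > 0:
        reasons.append(f"VirusTotal {vt}: few detections, possible false positive or new sample")
    return reasons


def triage(rows):
    """Map process name -> reasons, keeping only processes with at least one reason."""
    report = {}
    for name, company, signer, vt in rows:
        reasons = assess(name, company, signer, vt)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_PROCESSES).items():
        print(name, "->", "; ".join(reasons))
```

Note that a low VirusTotal score is reported but not treated as benign, matching the caveat above: 2/72 may be a false positive, or a sample too new for most engines to know.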
AccessChk
AccessChk is a tool provided as part of the Windows Sysinternals suite. It is used to identify which users or groups have access to specific resources (such as files, registry keys and Windows services).
Once it has been downloaded, AccessChk can be run from the command line. Assuming it has been added to the executable path, it can be run by entering accesschk. With no arguments this prints the available options and the inputs required to use the tool.
use cases
AccessChk is often used by system administrators to verify that they have created a secure environment. However, this tool is also used by red team analysts and penetration testers: by identifying services with weak permissions, an attacker may be able to escalate privileges and obtain access to system resources that were previously unavailable.
usage
To list the permissions of a specific folder, the following syntax can be used:
accesschk.exe -sd User c:\Path\To\Folder
Here, the -s and -d options have been set to tailor the search. The -s option recursively searches sub-folders within the directory, whereas the -d option scans only directories, ignoring individual files.
Once this command has been executed, AccessChk returns a list of all folders the named user has access to. Each folder is prefixed with R, W or RW to indicate whether the user has read-only, write-only or read/write access.
To review the permissions of Windows services, the following command can be used:
accesschk -cwv *
The -c option indicates that the name given (a wildcard in this instance) is a Windows service. -w restricts the output to principals with write access, and -v prints the individual access rights behind each entry.
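Reading the verbose output of accesschk -cwv * by hand is tedious on a host with hundreds of services, and the finding that matters for privilege escalation is narrow: a low-privilege principal (Everyone, Authenticated Users, BUILTIN\Users) holding a right such as SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS that lets it change the service binary path. The Python below is an added example, not code from the page or from Sysinternals; the sample text approximates the layout of AccessChk’s verbose output (constructed, not a real capture), and the list of low-privilege principals and “dangerous” rights is an assumption for the demo. The right names themselves are the standard Windows service access rights.

```python
"""Parse accesschk -cwv style output and report services writable by low-privilege principals.
Added example: SAMPLE_OUTPUT is constructed to resemble the tool's layout, not a real capture."""
import re

SAMPLE_OUTPUT = """Accesschk - Reports effective permissions for securable objects
Sysinternals - www.sysinternals.com

Spooler
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
BackupAgent
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW Everyone
        SERVICE_QUERY_STATUS
        SERVICE_CHANGE_CONFIG
  RW NT AUTHORITY\\Authenticated Users
        SERVICE_START
        SERVICE_STOP
"""

# Assumed sets for the demo: principals any local user belongs to, and rights that allow
# reconfiguring the service (e.g. pointing its binary path elsewhere) or rewriting its ACL.
LOW_PRIV = {"everyone", "nt authority\\authenticated users", "builtin\\users", "nt authority\\interactive"}
DANGEROUS_RIGHTS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}


def parse_accesschk(text):
    """Return {service: {principal: set(rights)}} from text laid out like accesschk -cwv output.

    Layout assumed: a banner up to the first blank line, then service names at column 0,
    'RW <principal>' / 'R <principal>' lines indented two spaces, and rights indented further."""
    services, service, principal = {}, None, None
    in_banner = True
    for raw in text.splitlines():
        if not raw.strip():
            in_banner = False       # first blank line ends the banner
            continue
        if in_banner:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            service, principal = line, None
            services[service] = {}
        elif indent == 2 and service is not None:
            m = re.match(r"(RW|R|W)\s+(.+)", line)
            if m:
                principal = m.group(2)
                services[service][principal] = set()
        elif indent > 2 and service is not None and principal is not None:
            services[service][principal].add(line)
    return services


def weak_services(services):
    """Services where a low-privilege principal holds a right that lets it reconfigure the service."""
    findings = []
    for svc, acl in services.items():
        for principal, rights in acl.items():
            if principal.lower() in LOW_PRIV:
                bad = sorted(rights & DANGEROUS_RIGHTS)
                if bad:
                    findings.append((svc, principal, bad))
    return findings


if __name__ == "__main__":
    for svc, who, rights in weak_services(parse_accesschk(SAMPLE_OUTPUT)):
        print(f"{svc}: {who} has {', '.join(rights)}")
```

Authenticated Users holding only SERVICE_START and SERVICE_STOP on BackupAgent is reported as nothing: starting or stopping a service is a much smaller problem than being able to change what it executes, and keeping the rule narrow keeps the report actionable.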
Strings
Strings is one of the tools provided in the Windows Sysinternals suite. It enables users to view the embedded ASCII and UNICODE strings within executables or other files. Strings is often used in place of tools that only show standard ASCII strings, such as ‘grep’. It is a free tool provided by Microsoft and can be downloaded from the Sysinternals site.
The basic syntax for using strings is as follows:
strings immersive.exe
Just like any other command in the Windows command line, you can pass the /? option to display the Help text for that command. In this case it would be strings /?.
why strings
Binary analysis examines the raw binaries that make up a complete application, which is useful when there is no access to the source code. It is a technique used by security analysts to reverse engineer malicious applications, understand how they work, and identify malicious activity and the aims of the application.
One of the first things to look for when analysing binaries is ASCII or UNICODE strings that stand out. When a file or binary is passed to the strings tool, it prints a list of all the UNICODE and ASCII strings embedded in the file.
some examples
In this lab you are tasked with analysing and identifying information from a handful of files on a user’s Desktop using strings.
Thick-client applications
Many web apps have front-end applications (for desktop or mobile) that communicate back to the web application, and these clients generate network traffic. Many developers, because of its ease of use, choose HTTP for sending data to and from an application. You may use strings to find network credentials and hidden or unused endpoints, which helps identify how an application communicates with a web server on a network.
Findstr
Findstr is a useful command-line tool for searching for specific text patterns in files; it is the Windows equivalent of the grep command on Linux. Strings outputs a lot of text when run over a file. It is possible to filter through that noise and search for specific strings by piping the output of Strings to findstr:
strings immersive.exe | findstr "http"
This command runs strings against a file called immersive.exe and pipes the output to findstr to look for any line that contains ‘http’.
Character limiting
By default the tool lists all strings that are at least three characters long; the -n flag raises the minimum string length. Limiting the minimum length is a useful way to sift out the noise of short, accidental character runs.
strings -n 6 immersive.exe
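What Strings actually does is scan the raw bytes for runs of printable characters, once as plain ASCII and once as UTF-16LE (each character followed by a zero byte, which is how Windows stores UNICODE strings in binaries); the -n option is the minimum run length, and piping to findstr is just a substring filter on the resulting lines. The Python below is an added example that implements that same extraction, not the Sysinternals tool’s own code; the byte string it scans is constructed for the demo, with a deliberate two-character run that falls under the default minimum.

```python
"""A small reimplementation of Strings' ASCII + UTF-16LE extraction with a findstr-style filter.
Added example; SAMPLE_BINARY is a constructed byte string, not a real executable."""
import re

# Constructed input: a fake header, an ASCII URL, a UTF-16LE path, junk, a credential-looking
# ASCII string and a UTF-16LE URL. Extra NUL bytes separate the regions as real padding would.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00"
    + b"http://updates.example.invalid/api/v1\x00\x00"
    + "C:\\Users\\Public\\run.bat".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02ab\x03"                       # "ab" is shorter than the default minimum of 3
    + b"admin:Passw0rd!\x00\x00"
    + "https://example.invalid/hidden".encode("utf-16-le")
    + b"\xff\xfe\x00"
)


def extract_strings(data, min_len=3):
    """Return sorted (offset, encoding, text) for ASCII and UTF-16LE runs of at least min_len chars.

    min_len plays the role of Strings' -n option (default 3, as in the tool)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # printable char + NUL, repeated
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "unicode", m.group().decode("utf-16-le")))
    return sorted(found)


def grep_strings(data, pattern, min_len=3):
    """Equivalent of `strings -n N file | findstr pattern` (case-sensitive, like findstr's default)."""
    return [entry for entry in extract_strings(data, min_len) if pattern in entry[2]]


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE_BINARY):
        print(f"{offset:06x} {encoding:7} {text}")
    print("--- filtered on 'http' ---")
    for _, _, text in grep_strings(SAMPLE_BINARY, "http"):
        print(text)
```

The UTF-16 pattern explains an artefact seen with the real tool too: a printable ASCII byte that happens to sit right before a UTF-16 string can be swept up as its first character, which is why the sample separates regions with two NUL bytes.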
Sigcheck
Sigcheck is a Sysinternals tool that verifies digital signatures, helping to differentiate between legitimate and harmful files. This is useful for investigating whether a malicious file is masquerading as a legitimate Windows binary.
The tool also integrates the VirusTotal API, which lets the user submit the hashes of scanned files to be checked against multiple antivirus engine databases.
usage
Sigcheck is a command-line tool that can be used to scan a system for suspicious executable images. There are several useful parameters that can be used with the command. The most basic syntax is as follows:
sigcheck.exe
Sigcheck can also scan all of the files in a specified directory. For example, the following command can be used to find the unsigned, and potentially malicious, files hidden within the System32 folder.
sigcheck -u C:\Windows\System32
For more information on how to use this tool, type sigcheck with no arguments into a Command Prompt or PowerShell window.
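It helps to know what “unsigned” means at the file level. An Authenticode signature embedded in a PE file is stored in the Attribute Certificate Table, whose file offset and size live in data directory entry 4 of the optional header; a file with no such entry has nothing embedded to verify. The Python below is an added example, not Sigcheck’s own code: it parses the PE headers far enough to read that entry and lists files that lack it, which is the first thing a check like sigcheck -u has to establish. The PE images it inspects are constructed header-only stubs for the demo. One caveat the real tool handles and this does not: many Windows system binaries are catalog-signed (the signature lives in a .cat file under System32\catroot, not in the PE), so “no embedded certificate table” is only a pre-filter, not proof that a file is unsigned.

```python
"""Locate the embedded Authenticode certificate table in PE files and list those without one.
Added example; the PE images below are constructed header-only stubs, not real binaries."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Attribute Certificate Table among the data directories


def certificate_table(pe_bytes):
    """Return (file offset, size) of the embedded certificate table, or None if absent or not a PE."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if e_lfanew + 24 > len(pe_bytes) or pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                      # 20-byte COFF file header follows the "PE\0\0" signature
    size_of_optional = struct.unpack_from("<H", pe_bytes, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    # PE32 and PE32+ place NumberOfRvaAndSizes and the data directories at different offsets
    if magic == 0x10B:
        n_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:
        n_dirs_off, dirs_off = 108, 112
    else:
        return None
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if size_of_optional < dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1) or entry + 8 > len(pe_bytes):
        return None
    n_dirs = struct.unpack_from("<I", pe_bytes, opt + n_dirs_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    offset, size = struct.unpack_from("<II", pe_bytes, entry)   # this entry holds a file offset, not an RVA
    if size == 0:
        return None
    return offset, size


def build_fake_pe(embed_cert):
    """Construct a header-only PE32+ image (no sections) for the demo, optionally with a certificate entry."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(240)                         # standard PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)        # Magic = PE32+
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    headers_len = e_lfanew + 4 + 20 + len(opt)
    cert_blob = b"\x00" * 64 if embed_cert else b""   # stand-in for a WIN_CERTIFICATE blob, appended after the headers
    if embed_cert:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, len(cert_blob))
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)   # x64, no sections, 240-byte optional header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_blob


def unsigned_report(files):
    """List the files that carry no embedded certificate table (the idea behind `sigcheck -u`, minus catalog lookups)."""
    return [name for name, data in files.items() if certificate_table(data) is None]


# Constructed sample "directory": one stub with a certificate entry, one without, one non-PE file.
SAMPLE_FILES = {
    "signed.exe": build_fake_pe(embed_cert=True),
    "unsigned.exe": build_fake_pe(embed_cert=False),
    "not-a-pe.bin": b"\x7fELF" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name in unsigned_report(SAMPLE_FILES):
        print("no embedded signature:", name)
```

Finding the table is only the first step; Sigcheck then validates the certificate chain and the file hash against it. A file can carry a certificate table and still fail verification if it was modified after signing or signed with an untrusted certificate.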
It is common for attackers to hide malware in the C:\Windows\System32 directory, because System32 is where Windows stores many legitimate binaries, making a malicious one difficult to pick out. In this lab, you are part of a company’s internal blue team. Your threat intelligence sources have identified that a malicious adversary has gained a foothold in the internal network and has installed a piece of malware onto an employee’s machine. However, due to the attacker’s lack of sophistication, the binary is unsigned. This means it can be found using a number of Sigcheck options.
Your job is to track down the malicious .exe binary and answer a few more questions using the Sigcheck tool and its various flags and options.
SDelete
Part of the Sysinternals suite, SDelete enables users to permanently and securely delete a file or directory from their OS. For more information on the tool, see the official documentation from Microsoft.
When deleting a file in Windows, you are only removing the reference to the file from the Master File Table. The Master File Table is essentially an index that keeps track of the location of each file. This means that once a file is deleted, the space it occupied on disk becomes available to be written to by another file, though the contents of the deleted file still exist until that happens. This also means such files can be recovered using common forensic methodology.
With SDelete, as well as removing the pointer from the MFT, the deleted file has its contents overwritten with random data. This process ensures that the file is securely deleted. A basic secure delete renders data unrecoverable to most common forensic and data recovery tools.
SDelete also features a disk clean option and an overwrite function. The overwrite function enables the user to specify the number of overwrite passes the tool makes (the default is one).
Adversaries can use the overwrite function of SDelete to fill existing files on a compromised machine with randomised data, making them irrecoverable. Used in this manner, SDelete can interrupt operations and limit the availability of resources in an organisation.
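The mechanism described above for a single file is simple enough to show directly: overwrite every byte in place with random data for the requested number of passes, force the writes out of the page cache, and only then remove the directory entry. The Python below is an added example, not SDelete’s own code; it works on a temporary file it creates itself. It does not reproduce the NTFS-specific work SDelete does (small files whose data lives inside the MFT record, cluster slack, the free-space cleaning option), and on SSDs wear-levelling can leave old copies of the data in place regardless of how the file is overwritten, so this is an illustration of the idea rather than a replacement for the tool.

```python
"""In-place overwrite followed by unlink, the single-file idea behind SDelete.
Added example; not the Sysinternals implementation. Works on a temp file it creates itself."""
import os
import tempfile

MARKER = b"CONFIDENTIAL "


def make_sample_file(marker=MARKER, repeats=5000):
    """Create a temporary file with recognisable content and return its path (constructed input)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(marker * repeats)
    return path


def overwrite_file(path, passes=1, chunk=1 << 16):
    """Overwrite every byte of the file with fresh random data, `passes` times. Returns bytes written.

    `passes` mirrors SDelete's pass count option (default one pass, as in the tool)."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:             # open for update so the existing allocation is reused
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())             # push this pass to the device, not just the page cache
    return written


def secure_delete(path, passes=1):
    """SDelete-style delete: overwrite the contents, then remove the directory entry."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def contains(path, needle):
    """True if the file's current on-disk contents still include `needle`."""
    with open(path, "rb") as f:
        return needle in f.read()


def still_exists(path):
    return os.path.exists(path)


if __name__ == "__main__":
    p = make_sample_file()
    print("before overwrite, marker present:", contains(p, MARKER))
    overwrite_file(p, passes=1)
    print("after overwrite, marker present:", contains(p, MARKER))
    print("bytes written by secure_delete:", secure_delete(p))
    print("file still exists:", still_exists(p))
```

Ordinary deletion would skip the overwrite step entirely, which is exactly why a forensic tool can carve the old contents back out of unallocated space. The example also keeps the file size unchanged during the overwrite; truncating first would release the original clusters before they had been scrubbed.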